1.0. Executive Summary

1.1. Background

1.2. Key Objectives

1.3. Key Results

7.2. Design and Operations Recommendations

7.3. Recommendations for Continuing Risk Assessment and Management Work

Appendix A. Space Shuttle Integrated Loss of Vehicle Model

A.1. Integrated Space Shuttle LOV Fault Tree Model

Auxiliary Power Unit and Hydraulic Power Unit Analysis Report

3.1. Accident Sequence Schematic

3.2. Shuttle Probabilistic Risk Assessment Modelling Mechanics

1.1. Summary of PRA Results: Estimated Loss-of-Vehicle Frequency

1.2. Risk Summary Statistics of Most Significant Accident Sequences

1.3. Summary of Top 20 Risk-Contributing Accident Sequences

1.4. Comparison of Current Shuttle PRA Ascent Results and Previous Studies

6.1. Summary of PRA Results: Estimated Loss-of-Vehicle Frequency

6.2. Comparison of Current Shuttle PRA Ascent Results and Previous Studies

6.3. Summary of Top 20 Risk-Contributing Accident Sequences

6.4. Risk Summary Statistics of Most Significant Accident Sequences

6.5. Estimated Loss-of-Vehicle Frequency for Base and Sensitivity Cases
Secondary objectives were to provide a vehicle for introducing and transferring PRA
technology to the NASA community, and to demonstrate the value of PRA by applying it
beneficially to a real program of great international importance.



This section summarizes the most important results of the Shuttle PRA in a number of 
formats. Paragraph 1.4 discusses some of the salient implications of these results. 



Figure 1.1. LOV Risk Uncertainty Distributions for Total Shuttle Mission 
Figure 1.3. Distribution of Mean Loss-of-Vehicle Risk Among Mission Phases.

The "risk drivers" of a system or operation are the factors that dominate the total risk, and
consequently should be targeted for further evaluation and potentially for risk-mitigation
efforts. The PRA process identifies an event or accident sequence as a risk driver when (1)
its occurrence leads to loss of vehicle with little or no chance of recovery, (2) it has a high
probability of occurrence, and/or (3) its likelihood or consequences are subject to so much

Table 1.3. Summary of Top 20 Risk-Contributing Accident Sequences. 
Figure 1.5. Comparison of Current PRA Ascent Results with Previous Risk Studies

1.4.2. Risk Dominance of Propulsion Systems.

1.4.3. Risk of Mission Intervals.

Figure 1.10. Comparison of Total Mission Risk Contribution to Percentage of CILs



In the interest of maximizing cost-effectiveness by focusing on the major risk drivers while
de-emphasizing secondary risk issues, the risk assessment team established the ground rules

assumptions) were analyzed in detail. Other, smaller risk contributors were represented by
conservative estimates.

• identify and prioritize the design, construction, operation, maintenance, and management
factors which contribute to risk.



Figure 1.11. A Generic Accident Scenario for Probabilistic Risk Assessment

statistical analyses — which integrate information on the configuration and the normal and
abnormal operation of the system with data on the likelihood of initiating events and the
success or failure of pivotal events. Figure 1.12 on the next page is a top-level flow chart of
the Shuttle PRA showing how information sources and models interact to produce the results.


[Figure 1.12: top-level flow chart of the Shuttle PRA; the image is not recoverable from the scan]


While NASA has always emphasized safety in design and operations, especially for crewed
spacecraft, the Challenger accident brought home the need for a systematic, quantitative, and
defensible way to evaluate flight risks and to identify and prioritize the factors that contribute to them
so they can be targeted for improvement. In the late 1980s successful experience in a variety of

Figure 2.2. Relationships Between the Shuttle PRA and Previous Shuttle Risk Assessments

1 Passive configuration anomalies such as undetected cracks in systems or undetected breaches in pressure
boundaries are considered

To avoid having to carry models of systems that are inactive or no longer present through the entire
risk model, the nominal mission is divided into three phases referred to as ascent, orbit, and descent,
and the three phases are represented by distinct but interrelated sub-models within the integrated risk
model. The phases are defined by the boundary events listed in Table 2.2.





Preliminary screening risk assessments indicate that the loss-of-vehicle risk during the landing phase
of the mission is a relatively small — although still potentially significant — contributor to total flight
risk. However, assessing this risk through detailed modeling would be very resource intensive
because a significant human factors analysis effort and human reliability analysis would have been
needed to evaluate the risk effects of critical flight crew actions. To conserve resources for the

Figure 2.4. A Generic Accident Scenario (or Sequence) for Probabilistic Risk Assessment.

Figure 2.5. Task Network for a Generic Probabilistic Risk Assessment.

(6) Phenomenological Analyses. Any phenomenological analyses needed to support the probabilistic
analysis are performed, usually by design and systems engineers supporting the PRA team.
An engineering analysis to determine the minimum acceptable performance ("success criteria") of
a risk-critical system or component is an example.

The basis of PRA is the development of scenarios. Scenarios may be thought of as strings of
events that lead to undesired consequences. Each scenario begins with a set of
"trigger events", sometimes called an initiating event category, and ends with an end state.

It is typical to depict an overview of the system response to an initiating event in a diagram called
a functional event sequence diagram (FESD). An FESD represents scenarios in terms of initiating
events, pivotal events, and damage states. Construction of an FESD makes use of an inductive

identified initiating event category has a different system response. Ultimately, a level of detail will
be reached such that enumerated events have the same system response. Development of the
diagram stops at the interface between these levels of detail.

Certain pressures and temperatures must be maintained within the Orbiter to assure that
both hardware and crew are able to perform their allotted functions. This is especially critical
during re-entry where ambient temperatures may reach 2200°F.

In PRA, the fundamental viewpoint is probabilistic. The complexity of the potential scenarios (as
indicated in the previous sections) demands that the uncertainties in knowledge of these processes
be accounted for. Uncertainty may originate from the inherent variation of a physical process





This section of the technical report describes the acquisition, evaluation and analysis of Shuttle- 
specific and applicable surrogate performance and failure data for use in quantifying the Space 
Shuttle PRA risk models. 




2 Unlike, say, a nuclear power plant, the Shuttle has no standby safety systems that can be out of service for preventive 
maintenance when needed to interrupt an accident sequence. Thus it was not necessary to develop maintenance 
unavailability data for the current PRA. However, this will definitely not be true for the PRA of a long-term facility such 
as the Space Station and may also no longer be true if ground support systems are added to the scope of the Shuttle risk 
assessment. 



Mean values of failure rates for the dominant time-related failure modes and/or failure-on-

The data utilized for the quantification of the PRA models was not limited to information obtained
from the Shuttle program. Although the Shuttle-specific data is the most relevant to this effort, the
quantity of data available was at times not statistically significant; therefore, many potential sources
of data were studied in an effort to be as comprehensive as possible. The information available to
quantify the PRA model may be classified according to the following taxonomy:

environments. The applicability would be still lower for non-Shuttle-grade equipment test
information due to the difference in certification requirements. Launch vehicle equipment is only
a fair match to Shuttle equipment, but is still preferable to non-launch-vehicle component data,
whose correspondence to the design and environment of Shuttle equipment can be quite poor. The
fact that Shuttle equipment is reliable to begin with means that the pool of directly applicable



Table 4.1. Data Type General Characteristics 



component failure information is rather small. The data analyst therefore may have no alternative
in some cases other than to use less applicable information, at least to scope out the range within
which Shuttle data may fall.

PRACA) reports. Still, these requests led to the discovery of other data sets which might
complement or supplement the PRACA records. These sources are listed by data type category in
Table 4.2.



Table 4.2. Example Data Types Used in Shuttle PRA

In the case of the Auxiliary Power Units (APUs), a nominal operating time per mission was
estimated and was multiplied by the number of missions within the study data window.

5.1.1. Space Shuttle Main Engines and Main Propulsion System

1 The actual operation time may vary due to changes in mission characteristics; the
variation has a negligible effect on the risk posed by the system and therefore the nominal point
estimate is used throughout the study.
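The data taxonomy of Section 4 (Shuttle-specific data first, then launch vehicle data as a fair match, then non-launch-vehicle data as a poor one) and the APU exposure calculation (nominal operating time per mission times missions in the data window) can be combined into one failure-rate estimate. The Python below is an added example, not code or data from the report: it pools surrogate sources into a gamma prior on the failure rate, down-weighting each source by an applicability factor, then updates that prior with the sparse Shuttle-specific record. The conjugate gamma-Poisson update and the applicability weights are standard PRA data-analysis devices used here as assumptions; the report's own data treatment is not reproduced, and every count, hour figure and weight below is constructed.

```python
from dataclasses import dataclass
from math import sqrt
from typing import List, Tuple


@dataclass(frozen=True)
class DataSource:
    name: str
    failures: int
    exposure_hours: float
    applicability: float   # 1.0 = Shuttle-specific; lower for surrogate data (assumed weights)


def nominal_exposure_hours(hours_per_mission: float, missions: int, units_per_vehicle: int) -> float:
    """Exposure accumulated in the data window: nominal operating time per mission
    times number of missions, summed over identical units (the APU treatment in Section 4)."""
    return hours_per_mission * missions * units_per_vehicle


def surrogate_prior(sources: List[DataSource], base_alpha: float = 0.5) -> Tuple[float, float]:
    """Gamma(alpha, beta) prior on the failure rate (per hour) built from surrogate data.
    Each source contributes its failures and hours scaled by an applicability weight, so a
    poor match adds evidence but cannot dominate. base_alpha = 0.5 keeps the prior proper
    when every surrogate has zero failures (an assumption, not from the report)."""
    alpha = base_alpha
    beta = 0.0
    for s in sources:
        if not 0.0 < s.applicability <= 1.0:
            raise ValueError(f"{s.name}: applicability must be in (0, 1]")
        alpha += s.applicability * s.failures
        beta += s.applicability * s.exposure_hours
    return alpha, beta


def bayesian_update(prior: Tuple[float, float], failures: int,
                    exposure_hours: float) -> Tuple[float, float]:
    """Conjugate gamma-Poisson update with the program-specific record."""
    alpha, beta = prior
    return alpha + failures, beta + exposure_hours


def rate_summary(alpha: float, beta: float) -> Tuple[float, float]:
    """Mean and standard deviation of a Gamma(alpha, beta) failure rate."""
    return alpha / beta, sqrt(alpha) / beta


def apu_failure_rate_example() -> Tuple[float, float]:
    # Constructed surrogate pool, ordered by applicability as in Section 4 (placeholder values)
    surrogates = [
        DataSource("launch-vehicle turbine APU (other program)", failures=4,
                   exposure_hours=20_000.0, applicability=0.5),
        DataSource("non-launch-vehicle aircraft APU", failures=10,
                   exposure_hours=200_000.0, applicability=0.1),
    ]
    prior = surrogate_prior(surrogates)                 # alpha 3.5, beta 30_000 unit-hours
    # Shuttle-specific exposure: constructed 1.5 h nominal APU run time per mission,
    # 60 missions in the window, 3 APUs per vehicle; zero failures observed (constructed)
    shuttle_hours = nominal_exposure_hours(1.5, 60, 3)  # 270 unit-hours
    alpha, beta = bayesian_update(prior, failures=0, exposure_hours=shuttle_hours)
    return rate_summary(alpha, beta)


if __name__ == "__main__":
    mean, sd = apu_failure_rate_example()
    print(f"posterior failure rate: mean {mean:.3e}/h, sd {sd:.3e}/h")
```

With these constructed inputs the Shuttle-specific record adds 270 unit-hours to a weighted surrogate exposure of 30,000, so the posterior barely moves from the prior: this is the "not statistically significant" situation the section describes, and it is why the applicability weights, not the Shuttle record, decide the estimate until more flight experience accumulates.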




Table 5.1. SSME Defined Redline Parameters and Limit Exceeded Definitions 
SSMEs, and an additional 3,700 pounds of propellant remain trapped in the orbiter's MPS feedlines.
This 5,400 pounds of propellant represents an overall center-of-gravity shift for the orbiter of
approximately 7 inches. Non-nominal center-of-gravity locations can create major guidance problems
during entry. The residual liquid oxygen, by far the heavier of the two propellants, poses the greatest
impact on center-of-gravity travel.




Figure 5.2. Main Propulsion System Schematic 







The liquid hydrogen trapped in the orbiter feedline manifold is expelled overboard under pressure
from the helium subsystem through the liquid hydrogen fill and drain valves for 6 seconds. The
inboard fill and drain valve is closed, the three liquid hydrogen prevalves are opened, and liquid
hydrogen flows through the topping valve, between the inboard and outboard fill and drain valves,
and overboard through the outboard fill and drain for approximately 88 seconds. The GPCs
automatically terminate the dump by closing the two liquid hydrogen manifold pressurization valves
and 21 seconds later closing the liquid hydrogen topping and outboard fill and drain valves.






pressure buildup between the inboard and outboard valves. Finally, the PNEUMATICS He ISOL
is taken to the GPC position since there is no longer a need to operate the pneumatic valves. This
action removes power from the valve, causing it to close.

Each of the larger tanks is plumbed to two of the smaller supply tanks, forming three clusters of three
tanks. Each set of tanks normally provides helium to only one engine; however, cross-ties exist such
that helium from one system may be routed to support another engine. This may be necessary if a
leak is detected and isolated in one of the systems. Such cross-overs are instituted by the crew, who
control the positions of the cross-ties from the cockpit.

6 The "droop 109" call by the mission controller signifies that the Shuttle has attained an
energetic state which should make an abort with only one engine operational possible.

The following anomalous conditions were identified as initiating events which could cause a redline
condition:

• Loss of MCC Pressure

• Loss of Gross H2 Flow

• Loss of Fuel to Both Preburners

Studies conducted at both Rocketdyne (Ref 8) and at MSFC (Ref 9) have demonstrated a
modest but consistent growth in the reliability of the SSME with each subsequent configurational
change.

There are a number of ways in which a failure may cause an abnormal shutdown, but only two critical
functions need to be performed to avoid catastrophe. Firstly, the OPOV must be closed; failing to
do so will cause a LOX-rich shutdown, which was considered to lead to burnthrough. Secondly, the
oxidizer preburner must be purged with helium to avoid subsequent mixing of residual oxygen and
hydrogen, which is considered to lead to a catastrophic explosion.

between different leak rates and potential for catastrophic failure.

drop which can lead to ice formation on the heat exchanger coils. Once a redline is detected the
only remaining question is the successful shutdown of the engine.

Once an emergency shutdown is commanded the processes for satisfying the
command must be performed successfully to avoid catastrophic failure. The
most critical functions are closing the OPOV and purging the OPB.
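The scenario mechanics of Section 2 (initiating event, pivotal events, end state) and the SSME shutdown sequence just described (redline detected, shutdown commanded, OPOV closed, OPB purged) can be worked through in a small event-tree quantifier. The Python below is an added example, not code from the report or the Shuttle PRA: the per-mission initiating-event frequency and the pivotal-event success probabilities are constructed placeholders, not values from the study. The tree is linear, as the text implies: each pivotal event either succeeds and passes the surviving frequency on, or fails and terminates the sequence in the end state the report associates with that failure. The ranking at the end is the risk-driver screening of Section 1: sequences sorted by LOV contribution with a running cumulative share.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

LOV = "LOV"      # loss of vehicle
ABORT = "ABORT"  # engine safely shut down; vehicle survives (abort outcomes are out of the report's scope)


@dataclass(frozen=True)
class PivotalEvent:
    name: str
    p_success: float          # probability the function is performed when demanded (constructed)
    end_state_if_failed: str


@dataclass(frozen=True)
class Sequence:
    initiator: str
    path: Tuple[Tuple[str, str], ...]   # ((pivotal event, "succeeds" | "fails"), ...)
    end_state: str
    frequency: float                     # per mission


def quantify_event_tree(initiator: str, ie_frequency: float,
                        pivotal_events: List[PivotalEvent],
                        end_state_if_all_succeed: str) -> List[Sequence]:
    """Walk a linear event tree: a pivotal-event failure terminates its sequence,
    a success carries the surviving frequency to the next pivotal event."""
    sequences: List[Sequence] = []
    surviving = ie_frequency
    path: List[Tuple[str, str]] = []
    for ev in pivotal_events:
        fail_freq = surviving * (1.0 - ev.p_success)
        sequences.append(Sequence(initiator, tuple(path + [(ev.name, "fails")]),
                                  ev.end_state_if_failed, fail_freq))
        path.append((ev.name, "succeeds"))
        surviving *= ev.p_success
    sequences.append(Sequence(initiator, tuple(path), end_state_if_all_succeed, surviving))
    return sequences


def end_state_frequencies(sequences: List[Sequence]) -> Dict[str, float]:
    """Per-mission frequency of each end state, summed over its sequences."""
    totals: Dict[str, float] = {}
    for s in sequences:
        totals[s.end_state] = totals.get(s.end_state, 0.0) + s.frequency
    return totals


def rank_risk_drivers(sequences: List[Sequence], end_state: str = LOV):
    """Sequences reaching `end_state`, most frequent first, each with its cumulative share."""
    contributors = sorted((s for s in sequences if s.end_state == end_state),
                          key=lambda s: s.frequency, reverse=True)
    total = sum(s.frequency for s in contributors)
    ranked, running = [], 0.0
    for s in contributors:
        running += s.frequency
        ranked.append((s, running / total if total else 0.0))
    return ranked


def ssme_redline_tree() -> List[Sequence]:
    """SSME redline -> emergency shutdown tree. All numbers are constructed placeholders."""
    pivotal = [
        PivotalEvent("emergency shutdown commanded on redline", 0.99, LOV),
        PivotalEvent("OPOV closes (avoids LOX-rich shutdown)", 0.999, LOV),
        PivotalEvent("OPB helium purge (avoids O2/H2 mixing)", 0.999, LOV),
    ]
    return quantify_event_tree("SSME redline condition", 1.0e-2, pivotal, ABORT)


if __name__ == "__main__":
    seqs = ssme_redline_tree()
    for state, freq in end_state_frequencies(seqs).items():
        print(f"{state:6s} {freq:.3e} per mission")
    for s, share in rank_risk_drivers(seqs):
        print(f"{s.frequency:.3e}  cum {share:5.1%}  {s.path[-1][0]} fails")
```

Because the failure of the shutdown command pre-empts the OPOV and purge questions, the tree reproduces the dependency the text states: the later pivotal events are only asked of the frequency that survives the earlier ones, which is why a linked fault tree per scenario, not a per-component one, is what the later APU section also chooses.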


















Table 5.6. Loss of Fuel to Both Preburners Event Descriptions

Table 5.8. Failure to Maintain Proper SSME Propellant Valve Position Event Descriptions

SMEVP SSME propellant valves must be maintained at ±10% of their commanded
positions. Failure of any one valve to do so will result in a Servovalve Error
Indication Interrupt (SEII). Upon the generation of an SEII the Controller
de-energizes the fail-safe servo-switch in all five propellant valves.
Table 5.10. Structural Failure of Critical SSME Components Event Descriptions

Table 5.13. Helium System Leakage Event Descriptions

SMELH The helium system is designed to leak before rupture. Leakage may occur from
the supply tanks or along any of the plumbing including the Pneumatic Control
Assembly (PCA) in the SSME.

Once an emergency shutdown is commanded the processes for satisfying the
command must be performed successfully to avoid catastrophic failure. The
most critical functions are closing the OPOV and purging the OPB.

Table 5.15. Leakage of SSME/MPS Propellants Event Descriptions

SMELP Propellant leakage causing fire or explosion in the aft-compartment. It is
assumed that leakage of both oxygen and hydrogen is necessary to cause a fire
or explosion. In addition it is also assumed that ignition always occurs given
that both elements are present.
Figure 5.8. HPOTP Failure Mode Risk Contribution

Figure 5.10. MCC Failure Mode Risk Contribution
of the ET and Orbiter and transmit this static weight load through their structure to the mobile
launcher platform. Each booster has a thrust (sea level) of approximately 3.3 million pounds at
launch. They are ignited after the thrust level of the three SSMEs is verified. The two ISRBs provide
71.4 percent of the thrust at lift-off and during the first stage of ascent.

Each SRB has four hold-down posts that fit into corresponding support posts on the mobile launcher

The ISRB participates in providing three top-level STS functions; the corresponding failures are failure
to provide proper propulsion, failure to contain energetic gas or debris, and failure to maintain proper
configuration (i.e. TVC). Unlike the SSMEs, the ISRBs do not act as redundant units for each other in
the event of a loss of propulsion or thrust vectoring capability. A failure of either ISRB to provide these
functions was considered to lead to LOV.

Configurational failures are malfunctions involving changes in orientation or physical connections
between components. In this respect all configurational failures are due to SRB malfunctions and

Probability distributions for the failure rate of the sub-components included in the fault trees are
determined from examining historical evidence. This poses a problem in the case of the ISRB because
it is not routinely hot-fire tested; the vast majority of the data available is flight related. When there
is insufficient direct experience for a particular event to estimate its failure rate, it is necessary to
make an estimate based on the rate of occurrence of similar events in similar environments. All US
solid rocket experience was reviewed as possibly relevant to establish a surrogate data set for the
RSRM. From this data set the following solid rocket systems were analyzed for the purposes of
serving as surrogate failure data sources for the ISRB:
RSRM Wrong Thrust

Thrust deviations were attributed to two causes: slag accumulation and inhomogeneous iron oxide.
Slag accumulation was concluded to be the most likely cause of the pressure spikes in the RSRM

i, Late or Improper Holddown

i, late or improper holddown release resulting in a catastrophic consequence may be due to two

ISRB THRUST VECTOR CONTROL SYSTEM FAILURE

Figure 5.12. ISRB Risk Contribution
The Space Shuttle Orbiter has three independent hydraulic systems similar to those found on large
aircraft. These hydraulic systems are used to actuate the Orbiter aero-surfaces, throttle and gimbal
the Orbiter main engines, deploy and steer the landing gear, apply the landing gear brakes, and retract
the external tank/umbilical plates when the external tank separates from the Orbiter. Figure 5.13

A water spray boiler (WSB) system provides cooling of both the APU gearbox oil and the orbiter
hydraulic fluid. The system consists of three identical, independent water spray boilers, one for each
APU and hydraulic system. Each WSB cools the corresponding APU lube oil system and hydraulic
system by spraying water onto their lines; as the water boils off, the lube oil and hydraulic fluid are
cooled. The steam that boils off in each water spray boiler exits through its own exhaust duct.



Water to cool the two heat exchangers is held in a bellows-type storage tank pressurized by GN2. 
Cooling of the oil and hydraulic fluid is effected by controlling the flow of water into the heat 
exchangers, as well as controlling the flow of hydraulic fluid through the exchanger. There are 
redundant controllers and temperature sensors for controlling the WSB. 
As mentioned above, the hydraulic lines are warmed by hydraulic fluid passing through the
Freon/hydraulic heat exchanger. The hydraulic lines in the various aerosurfaces are warmed by
heaters. Each heated area has redundant heaters.

1. Body Flap System - The body flap is used during re-entry to adjust vehicle trim and limit hinge
moment on the elevons. Hydraulic power is used to position the flap by means of three pilot operated
control valves that are mechanically ganged together.

There are three operational phases, namely Ascent through Orbital Insertion, Orbital Operations, and
Deorbit and Entry.

At 2 hours after lift-off the WSB steam vent heaters are turned on for 1.5 hours to eliminate ice from
the WSB steam vents. Two and a half hours after lift-off, the APU fuel pump/fuel valve cooling is
switched from the 'A' system to the 'B' system to avoid overheating the isolation solenoid. At 4
hours the APU fuel/valve cooling is shut down and at 6 hours GG/fuel pump heaters are turned on
as mentioned above.



On the day before deorbiting, one APU is started in order to have hydraulic pressure to check out the 
flight control system; i.e., to move the aerosurfaces. The associated WSB controller is activated, 
although the APU does not run long enough to require WSB operation. Fuel pump/valve cooling is 
activated. Landing gear isolation valves are closed before the APU is started and the isolation valves 
are reopened after the APU is shutdown. 
Thrust vector control and aerosurface control use hydraulic actuators. Thrust vector control
actuators have a switch valve connected to two APU/HYD systems. Loss of a single APU has no
effect on thrust vector control. There are one pitch and one yaw actuator on each SSME. Loss of
two APUs fails both TVC actuators on a single engine. The aerosurface control actuators
generally use all three APUs. Loss of two APUs maintains aerosurface control, but at 50% rate of
movement. (See Table 5.16 for more detail.)

Events within this initiating event category include:

The fault trees presented are for entire scenarios (that is, they are already linked). Each fault tree is
identified with the scenario number of its associated event tree. We found this to be necessary in order
to accurately model common cause and other dependencies among events. It was not necessary to
model the APUs down to the component level within the fault trees. It was necessary to develop

Table 5.17. APU/HYD Hub Breakup and Overspeed Event Descriptions

Large Exhaust Gas or Hydrazine Leak



The first damage scenario in this sequence is the possible damage of critical flight equipment due
to leaking hydrazine or exhaust gases in the aft compartment.

The second damage scenario is overpressurization of the aft compartment due either to a large
hydrazine leak or the accumulation of exhaust gas in the compartment. Prior to reentry, the vent
doors are closed at the Software Major Mode (MM 304) transition (EI-5 minutes). Gas
accumulation can begin at this point until the vent doors open at approximately Mach 2.4. Only
0.3 PSID pressure is required to cause structural failure to the aft compartment.

APU/HYD Hydrazine Leaks During Ascent




A non-detected leak would not result in a crew or ground initiated shutdown. If all of the 
APU/HYDs, including the leaking one, survive the ascent with no problems, then an ILO condition 
exists. The leaking hydrazine may affect the other APU/HYDs without failing the leaking unit, in 
which case if one APU/HYD unit fails, a MDFRU condition exists. If both remaining units fail, a 
PLSR2U condition exists. 






















are followed. 



Table 5.20. APU/HYD Hydrazine Leaks During Ascent Event Descriptions 





This event sequence diagram makes several assumptions. First, it is assumed for modeling simplicity 
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Table 5.21. At Least One APU/HYD Unit Fails Without a Hydrazine Leak During Ascent 

Event Descriptions 
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This event begins with one unit fully operational, one unit unrecoverable, and one unit recoverable, 
but leaking. Unrecoverable failures and leaking units have been discussed previously. With the one 
APU/HYD unit unrecoverable, both remaining units are needed. One unit is leaking hydrazine, and 
the leak may lead to the unit failing itself, or the other unit failing due to hydrazine exposure. Both 











ing units may fail to either independent failures, due to the hydrazine leak, or due to a common 
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A method known as the Multiple Greek Letter (MGL) method was implemented to estimate the 
fraction of component failures attributed to dual or triple common cause failures of the APUs. A 
detailed algebraic development of the MGL method, along with other APU data analysis information, 
is provided in Appendix B.3. 
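The paragraph above names the MGL method but leaves its algebra to Appendix B.3. The following is an added example, not code from the report or from NASA, that applies the standard MGL parameterisation (beta = fraction of a unit's failures shared with at least one other unit, gamma = fraction of those shared with a third) to a three-unit group such as the APU/HYD set, and then evaluates the probability of losing two of the three units, which the text above treats as the failure criterion once one unit is unrecoverable. The total failure probability Q_t and the beta/gamma values are constructed placeholders, not Shuttle data.

```python
"""Multiple Greek Letter (MGL) common-cause split for a 3-unit APU/HYD group.

Added example, not code from the Shuttle PRA report. It uses the standard MGL
parameterisation (beta = fraction of a unit's failures that involve at least one
other unit, gamma = fraction of those that involve a third); the report's own
algebra is in its Appendix B.3 and is not reproduced here. All numbers below
(Q_t, beta, gamma) are constructed placeholders, not Shuttle data.
"""
from itertools import combinations, product
from math import comb


def mgl_basic_events(q_total, greek):
    """Return {k: Q_k} for a common-cause group of m = len(greek) + 1 components.

    greek = (beta, gamma, ...); by convention rho_1 = 1 and rho_{m+1} = 0.
    Q_k is the probability that one *specific* set of k components fails together:
        Q_k = prod_{i<=k} rho_i * (1 - rho_{k+1}) * Q_t / C(m-1, k-1)
    For m = 3 this gives Q_1 = (1-b)Q_t, Q_2 = b(1-g)Q_t/2, Q_3 = b*g*Q_t.
    """
    rho = [1.0, *greek, 0.0]
    m = len(greek) + 1
    q = {}
    for k in range(1, m + 1):
        prod_rho = 1.0
        for i in range(k):          # rho_1 .. rho_k
            prod_rho *= rho[i]
        q[k] = prod_rho * (1.0 - rho[k]) * q_total / comb(m - 1, k - 1)
    return q


def ccf_fractions(greek):
    """Fraction of one unit's total failure probability that is a CCF of order k.

    This is the quantity the report estimates: order 2 = dual CCF, order 3 = triple.
    The fractions sum to 1 because every unit failure has exactly one order.
    """
    q = mgl_basic_events(1.0, greek)
    m = len(greek) + 1
    return {k: comb(m - 1, k - 1) * q[k] for k in range(1, m + 1)}


def prob_at_least_n_failed(n, q_total, greek):
    """Exact P(at least n of m units failed), enumerating every basic-event outcome.

    Basic events: one per non-empty subset of units, with probability Q_|subset|,
    assumed mutually independent (the usual CCF basic-event model). For m = 3
    that is 7 events and 128 outcomes, so brute force is fine.
    """
    m = len(greek) + 1
    q = mgl_basic_events(q_total, greek)
    units = range(m)
    events = [frozenset(s) for k in range(1, m + 1) for s in combinations(units, k)]
    total = 0.0
    for occurred in product([False, True], repeat=len(events)):
        p = 1.0
        failed = set()
        for ev, happened in zip(events, occurred):
            qk = q[len(ev)]
            if happened:
                p *= qk
                failed |= ev
            else:
                p *= 1.0 - qk
        if len(failed) >= n:
            total += p
    return total


if __name__ == "__main__":
    Q_T, BETA, GAMMA = 1e-3, 0.1, 0.3   # constructed placeholders, not Shuttle data
    print("basic events:", mgl_basic_events(Q_T, (BETA, GAMMA)))
    print("CCF fractions by order:", ccf_fractions((BETA, GAMMA)))
    print("P(>=2 of 3 fail) with CCF:   ", prob_at_least_n_failed(2, Q_T, (BETA, GAMMA)))
    print("P(>=2 of 3 fail) independent:", prob_at_least_n_failed(2, Q_T, (0.0, 0.0)))
```

With the placeholder values the two-of-three loss probability is roughly 1.4e-4 with common cause modelled versus 3e-6 with independent failures only, which is why a PRA of a redundant group like the APU/HYD set cannot leave the CCF split out.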
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5.1.4. Orbital Maneuvering System and Reaction Control System 
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All primary thrusters contain instrumentation for chamber pressure. 



Ascent 

Generally, there are two OMS thrusting periods: 
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propulsion leading to abort rather than LOV events. Moreover, some or all of the impulse lost 
due to OMS malfunctions may be provided by the RCS. 

Successful system operation is critical during some abort scenarios which, as noted before, are 
out of scope. 



5.1.5. Orbiter Thermal Protection System 
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Figure 5.19. Burnthrough Profile 
Figure 5.20. Criticality Profile 
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Figure 5.21. TPS Min-Zone Partitioning 
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Table 5.23. TPS Min-Zone Catastrophic Failure Probabilities 












5.1.6. Risk Contribution of Orbiter Components 
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5.2.1. Orbiter Electric Power 
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The tanks are grouped in sets of one hydrogen and one oxygen tank. The number of tank sets 
installed depends on the specific mission requirement and vehicle. Up to five tank sets can be 
installed in the midfuselage under the payload bay liner of OVs 102, 104 and 105 (four sets maximum 
for OV 103). Up to four additional tank sets can be flown on the EDO pallet in the payload bay of 
these vehicles. 
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Supply and waste water system, which stores water produced by the fuel cells for drinking, 
personal hygiene, and orbiter cooling. The waste water system stores crew liquid waste and waste 
water from the humidity separator. The system also has the capability to dump supply and waste 
water overboard. 
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Support payloads with crew/software interface for activation, deployment, deactivation, 
retrieval. 
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The failure of any one pitch actuator, one yaw actuator, or one gimbal joint resulting in the loss 
of the ability to vector one SSME is not considered a catastrophic incident. Based on information in 
the Operational Flight Rules (Ref. 16), the other two SSME should have enough authority to overcome 
the one failure. Therefore, a LOV is assumed to occur if two out of three SSME cannot be vectored. 
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Table 5.24. Systems Analysis Summary Results 
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6.1.1. Application of Uncertainty Bounds 
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All uncertainty distributions were assumed to be lognormally distributed, with the point estimate 
serving as the mean and an error factor representing the level of uncertainty in the mean estimate. 
The lognormal distribution is a "natural" distribution for describing data which can vary by orders of 
magnitude. If the failure rate is expressed as 10^e, where e is some exponent, then describing the data 
as having a lognormal distribution is equivalent to describing the exponent, e, as having a normal 
distribution. The positive skewness of the lognormal distribution also lends itself to the general 
reliability-associated behavior of assessed data by accounting for less likely but large deviations, such 
as abnormally high failure rates due to periodic slips in quality control. 
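The passage above states the convention (point estimate = mean, spread = error factor) without showing how the lognormal parameters follow from it. The following is an added example, not code from the report, that derives mu and sigma of ln(X) from a mean and an error factor, reports the resulting percentiles, and checks by sampling that the exponent e = log10(X) is normally distributed, as the text claims. It assumes the common PRA definition of the error factor as the ratio of the 95th percentile to the median; the failure rate of 1e-4 per mission with an error factor of 10 is a constructed value.

```python
"""Lognormal uncertainty parameters from a PRA point estimate and error factor.

Added example (not from the Shuttle PRA report). It follows the convention the
report states: the point estimate is the *mean* of a lognormal distribution and
an error factor (EF) expresses the spread. The definition EF = 95th percentile /
median is the common PRA convention and is an assumption here; the sample
failure rate of 1e-4 per mission with EF = 10 is a constructed value.
"""
import math
import random

Z95 = 1.6448536269514722  # standard normal 95th percentile


def lognormal_params(mean, error_factor):
    """Return (mu, sigma) of ln(X) given the mean of X and the error factor."""
    if mean <= 0 or error_factor <= 1:
        raise ValueError("mean must be > 0 and error factor > 1")
    sigma = math.log(error_factor) / Z95     # EF = exp(Z95 * sigma)
    mu = math.log(mean) - 0.5 * sigma ** 2    # mean = exp(mu + sigma^2 / 2)
    return mu, sigma


def lognormal_mean(mu, sigma):
    """Mean of X when ln(X) ~ N(mu, sigma^2); the round trip of lognormal_params."""
    return math.exp(mu + 0.5 * sigma ** 2)


def lognormal_summary(mean, error_factor):
    """5th/50th/95th percentiles of X.

    Because of the positive skew the median sits below the mean, and the mean
    can sit well inside the upper tail when the error factor is large.
    """
    mu, sigma = lognormal_params(mean, error_factor)
    median = math.exp(mu)
    return {
        "p05": median / error_factor,
        "median": median,
        "mean": mean,
        "p95": median * error_factor,
    }


def exponent_is_normal(mean, error_factor, n=20000, seed=1):
    """Sample X and check that e = log10(X) has the mean/std implied by (mu, sigma).

    Demonstrates the report's statement: X lognormal <=> its exponent e normal.
    The tolerance of 0.02 is several standard errors at n = 20000.
    """
    mu, sigma = lognormal_params(mean, error_factor)
    rng = random.Random(seed)
    exps = [math.log10(rng.lognormvariate(mu, sigma)) for _ in range(n)]
    m = sum(exps) / n
    s = math.sqrt(sum((e - m) ** 2 for e in exps) / (n - 1))
    expected_m = mu / math.log(10)       # ln -> log10 rescales both moments
    expected_s = sigma / math.log(10)
    return abs(m - expected_m) < 0.02 and abs(s - expected_s) < 0.02


if __name__ == "__main__":
    MEAN, EF = 1e-4, 10.0   # constructed values, not Shuttle data
    print("mu, sigma:", lognormal_params(MEAN, EF))
    print("percentiles:", lognormal_summary(MEAN, EF))
    print("log10(X) normal:", exponent_is_normal(MEAN, EF))
```

Note what the percentile output shows for a large error factor: with EF = 10 the median is about 3.8e-5 while the mean is 1e-4, so quoting the mean as "the" failure rate already carries the upper tail the text describes.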
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Figure 6.1. Information Flow between Analysis Computer Modules 
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Figure 6.2. LOV Risk Uncertainty Distributions for Total Shuttle Mission 
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Figure 6.3. Distribution of Mean Loss-of-Vehicle Risk Among Shuttle Vehicle Elements. 
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studied during flight (e.g. landing gear tire reliability). 



Uncertainty distributions may be developed for various portions of the mission. This involves 
identifying and isolating functional failures which are phase specific and propagating the basic event 
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guarantee that the seal will not leak during flight, it does give some indication of seal integrity which 
can be used to give some credit towards seal reliability. The accounting of partial credit was 



Difference in Mean 


An estimate of the risk of orbit and re-entry/descent may be conducted in a similar fashion. The 
in-orbit risk was attributed to latent hydrazine leakage which deflagrates during re-entry; however, the 
estimate showed relatively little risk compared to ascent and descent. The risk for ascent and descent, 
as well as the respective contribution to each, is shown in Figure 6.6. 
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shows that this implies that the first two accident sequences alone contribute over 10% of the entire 
Shuttle risk. These sequences are considered to be the risk drivers of the system and the 
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design improvement objectives may be established for various cost estimates. 
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The results of the PRA indicate that the Shuttle has been demonstrated to be by far the most reliable 
and least risky of all launch vehicles in the world (see Figure 7.1). However, the distinctive advantage 
of the Shuttle as a returnable and reusable vehicle makes even this comparison fall short of the 
Shuttle's clear dominant position with respect to other vehicles. Despite this dramatic improvement 
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periods of time introduces interfacing risks which should be studied and understood. 
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STS Training Manual, SSME Orientation (Part A-Engine) (ME-110(A)RIR, Jan. 
1991) 
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Elimination of Process-Induced Failure Modes as a Source of SRM Unreliability 
(B. E. Suta, R. J. Kunz, AIAA 90-2711, July 1990) 
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